hchaverri commented on code in PR #5897: URL: https://github.com/apache/hadoop/pull/5897#discussion_r1278035871
########## hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/SQLDelegationTokenSecretManager.java: ########## @@ -46,6 +50,9 @@ public abstract class SQLDelegationTokenSecretManager<TokenIdent private static final String SQL_DTSM_TOKEN_SEQNUM_BATCH_SIZE = SQL_DTSM_CONF_PREFIX + "token.seqnum.batch.size"; public static final int DEFAULT_SEQ_NUM_BATCH_SIZE = 10; + public static final String SQL_DTSM_TOKEN_LOADING_CACHE_EXPIRATION_MS = SQL_DTSM_CONF_PREFIX + + "token.loading.cache.expiration.ms"; + public static final int SQL_DTSM_TOKEN_LOADING_CACHE_EXPIRATION_DEFAULT_MS = 10000; Review Comment: The concern is not only with deleting tokens from SQL that have been renewed, but also with tokens being stale in the cache. If a router has a stale token that has been renewed somewhere else, the router will throw an authentication error since the token in memory is expired. We should keep this value low enough so the renewal is propagated to all routers quickly enough. Same reason for cancellations. I can see us tweaking this value to balance the impact on SQL. The removal scan won't actually help much with token cleanup as we only expect 10 seconds of tokens to be candidates for cleanup. We need a separate mechanism to query SQL for all expired tokens and delete them, but I think we should track that separately. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org